Has there been a change in US banking regulations recently?
Jeff Simmons
jsimmons at goblin.punk.net
Fri Aug 13 15:24:02 EDT 2010
On Friday 13 August 2010 11:33, eric.lengvenis at wellsfargo.com wrote:
> I'd like to clarify a bit. PCI-DSS wasn't developed by the big banks. It
> isn't usually enforced by big banks except insofar as they are liable for
> PCI-DSS compliance when outsourcing to or partnering with other companies.
> So they may be forcing it on the SMBs you've worked with because they're
> liable in some way.
>
> PCI-DSS was the brainchild of Visa. I'm a member of X9F (X9F6 is the
> payment card security standards committee) and we wrote an open letter back
> in 2005 to Visa and Mastercard asking them not to set new, separate
> standards for the financial sector but to work from within X9F. They
> ignored us. Even though you clearly indicate that they aren't truly
> voluntary via your use of quotes, when the PCI group (VISA et al.) can
> unilaterally level huge fines and/or penalties for non-compliance they
> really are compulsory.
Also, PCI certification requires that all of your partners (anyone you
exchange payment card information with) be PCI compliant. At the level I work
at, it's compulsory. Presently, it seems to apply to anyone taking payment
cards over the web, and seems to be working its way down the food chain to
brick and mortar vendors. <sarcasm> For me, it's the equivalent of a
congressional full employment act, so I'm not complaining a lot. </sarcasm>
> Luckily, PCI-DSS compliance != security. Or is that unluckily because of
> how much money is wasted complying that could be better spent securing.
The latter. And for many, many, many other reasons than just the financial
hit.
--
Jeff Simmons jsimmons at goblin.punk.net
Simmons Consulting - Network Engineering, Administration, Security
"You guys, I don't hear any noise. Are you sure you're doing it right?"
-- My Life With The Thrill Kill Kult
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com